Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Normal
-
Resolution: Fixed
-
Affects Version/s: PUP 3.8.7, PUP 4.5.2
-
Component/s: None
-
Labels:None
-
Template:customfield_10700 137324
-
Story Points:0
-
Sprint:Client 2016-06-29, Client 2016-08-10
-
CS Priority:Reviewed
-
Release Notes:Bug Fix
-
Release Notes Summary:Puppet now correctly connects to Pypi when managing packages with pip
Description
Pypi changed behaviour today because of vulnerabilities in urrlib, which
is used by pip.
http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
Pypi changed to denying http requests entirely instead of redirecting to
https. (I guess? I don't really understand)
Without this patch:
root@derpderp:~# cat foo.pp
package
root@derpderp:~# puppet apply foo.pp
Warning: Setting templatedir is deprecated. See http://links.puppetlabs.com/env-settings-deprecations
(at /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1139:in `issue_deprecation_warning')
Notice: Compiled catalog for derpderp in environment production in 0.14 seconds
Error: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Error: /Stage[main]/Main/Package[diskimage-builder]/ensure: change from 1.17.0 to latest failed: Could not get latest version: HTTP-Error: 403 Must access using HTTPS instead of HTTP
Notice: Finished catalog run in 0.67 seconds
So this breaks any puppet 3.x using the default pip provider.
With this patch, it just works.
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
